Hi

I am using the following one-liner to list the users of the nested security groups but I'm aware that it is not  capturing any user accounts in the origional group.

get-qadgroup "domain admins" | get-qadgroupmember | where { $_.type -eq "group"} | get-qadgroupmember

 

Is there a better way to do this that will captuer all users that are members of the origional group and it's nested groups?

Thanks

Lee

You'll only get the members from one level of nesting doing that too. What you need is a self-referencing function to iterate through all the levels of nesting:

Function Get-NestedGroupMember($group) {
Get-QADGroupMember $group | where{$_.type -eq "group"} | foreach{Get-NestedGroupMember($_)}
Get-QADGroupMember $group | where{$_.type -ne "group"}
}
Get-NestedGroupMember("domain admins")

Better still... (PowerShell scripting is an iterative process! ;-))

Function Get-NestedGroupMember($group) {
Get-QADGroupMember $group | foreach{
if($_.type -eq "group"){Get-NestedGroupMember($_)}
else {$_}}
}
Get-NestedGroupMember("domain admins")

There a builtin switch for that:

PS > Get-QADGroupMember "domain admins" -Indirect

-Indirect
Supply this parameter on the command line if you want the cmdlet to retrieve objects that belong to the specified group because of group nesting, in addition to objects that are direct members of the group. If this parameter is omitted, the cmdlet retrieves only those objects that are direct members of the group.

Those Quest folk think of everything, don't they?! ;-)

There are two pretty useful functions in the AD PowerPack for PowerGUI that predate the -Indirect flag on the Get-QADGroupMember cmdlet: Get-QADGroupMemberRecursive and Get-QADGroupMembership. These functions allow you to retrieve the nested group members or the recursive membership for a computer, user, or group. Here's an example of how you might use the Get-QADGroupMemberRecursive function:

[402] PS↑ C:\> Get-QADGroup 'domain admins' | Get-QADGroupMemberRecursive -IncludeAllInstances -SuppressGroupOutput | Format-Table -Property Name,Type,MemberFrom

What I like about these functions is that they allow you to control the output a little more, suppressing the actual groups in the nested group members, for example, or showing the DN for the group through which the user, group or computer was a member. You can also optionally show every instance of a group member, so if users are members of a given group through multiple nested groups you can pick that up. Very useful when trying to figure out where group members come from.

If you have PowerGUI, just open the Active Directory folder in the admin console and click on the Groups node. When the groups start showing up, you'll see a Group members (recursive) and a Group membership (recursive) link, each of which contains one of the two functions I am referring to here.

There are a lot of useful scripts and functions like this behind the nodes, links and actions in the PowerGUI admin console.

--
Kirk Munro [MVP]
Poshoholic
http://poshoholic.com

Thanks guys, i've not really used PowerGUI but i'll definately find the time to look and see how it might help.

Thanks

Lee